Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]

From: Lewis Watson (lists_at_visionsix.com)
Date: 08/05/03

    To: <security-advisories@freebsd.org>
    Date: Tue, 5 Aug 2003 11:58:33 -0500
    
    

    > NOTE WELL: Any statically linked applications that are not part of
    > the base system (i.e. from the Ports Collection or other 3rd-party
    > sources) must be recompiled.
    >
    > All affected applications must be restarted for them to use the
    > corrected library. Though not required, rebooting may be the easiest
    > way to accomplish this.
    >

    I have upgraded my 4.8 box to 4.8 p1. How do I verify what applications
    need to be patched and how do I make sure that the above noted statically
    linked applications are patched after I am done?
    Thanks a bunch!
    Lewis

    ----- Original Message -----
    From: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
    To: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
    Sent: Tuesday, August 05, 2003 7:02 AM
    Subject: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > =============================================================================
    > FreeBSD-SA-03:08.realpath                                   Security Advisory
    >                                                           The FreeBSD Project
    >
    > Topic: Single byte buffer overflow in realpath(3)
    >
    > Category: core
    > Module: libc
    > Announced: 2003-08-03
    > Credits: Janusz Niewiadomski <funkysh@isec.pl>,
    > Wojciech Purczynski <cliph@isec.pl>,
    > CERT/CC
    > Affects: All releases of FreeBSD up to and including 4.8-RELEASE
    > and 5.0-RELEASE
    > FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
    > Corrected: 2003-08-03 23:46:24 UTC (RELENG_5_0)
    > 2003-08-03 23:43:43 UTC (RELENG_4_8)
    > 2003-08-03 23:44:12 UTC (RELENG_4_7)
    > 2003-08-03 23:44:36 UTC (RELENG_4_6)
    > 2003-08-03 23:44:56 UTC (RELENG_4_5)
    > 2003-08-03 23:45:41 UTC (RELENG_4_4)
    > 2003-08-03 23:46:03 UTC (RELENG_4_3)
    > 2003-08-03 23:47:39 UTC (RELENG_3)
    > FreeBSD only: NO
    >
    > 0. Revision History
    >
    > v1.0 2003-08-03 Initial release
    > v1.1 2003-08-04 Updated information for lukemftpd
    >
    > I. Background
    >
    > The realpath(3) function is used to determine the canonical,
    > absolute pathname from a given pathname which may contain extra
    > ``/'' characters, references to ``/./'' or ``/../'', or references
    > to symbolic links. The realpath(3) function is part of the FreeBSD
    > Standard C Library.
    >
    > II. Problem Description
    >
    > An off-by-one error exists in a portion of realpath(3) that computes
    > the length of the resolved pathname. As a result, if the resolved
    > path name is exactly 1024 characters long and contains at least
    > two directory separators, the buffer passed to realpath(3) will be
    > overwritten by a single NUL byte.
    >
    > III. Impact
    >
    > Applications using realpath(3) MAY be vulnerable to denial of service
    > attacks, remote code execution, and/or privilege escalation. The
    > impact on an individual application is highly dependent upon the
    > source of the pathname passed to realpath, the position of the output
    > buffer on the stack, the architecture on which the application is
    > running, and other factors.
    >
    > Within the FreeBSD base system, several applications use realpath(3).
    > Two applications which are negatively impacted are:
    >
    > (1) lukemftpd(8), an alternative FTP server: realpath(3) is used to
    > process the MLST and MLSD commands. The vulnerability may be
    > exploitable, leading to code execution with superuser privileges.
    >
    > lukemftpd(8) was installed (but not enabled) by default in
    > 4.7-RELEASE and in 4-STABLE dated Jun 20 21:13:33 2002 UTC through
    > Nov 12 17:32:47 2002 UTC. It is not built or installed by default
    > in any other release.
    >
    > If the `-r' option to lukemftpd is used (as suggested by the
    > example /etc/inetd.conf supplied in 4.7-RELEASE), then successful
    > exploitation leads to code execution with the privileges of
    > the authenticated user (rather than superuser privileges).
    >
    > (2) sftp-server(8), part of OpenSSH: realpath(3) is used to process
    > chdir commands. This vulnerability may be exploitable, leading
    > to code execution with the privileges of the authenticated user.
    >
    > At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained
    > the following applications which appear to use realpath(3). These
    > applications have not been audited, and may or may not be vulnerable.
    > There may be additional applications in the FreeBSD Ports Collection
    > that use realpath(3), particularly statically-linked applications and
    > applications added since 4.8-RELEASE.
    >
    > BitchX-1.0c19_1
    > Mowitz-0.2.1_1
    > XFree86-clients-4.3.0_1
    > abcache-0.14
    > aim-1.5.234
    > analog-5.24,1
    > anjuta-1.0.1_1
    > aolserver-3.4.2
    > argus-2.0.5
    > arm-rtems-gdb-5.2_1
    > avr-gdb-5.2.1
    > ccache-2.1.1
    > cdparanoia-3.9.8_4
    > cfengine-1.6.3_4
    > cfengine2-2.0.3
    > cmake-1.4.7
    > comserv-1.4.3
    > criticalmass-0.97
    > dedit-0.6.2.3_1
    > drweb_postfix-4.29.10a
    > drweb-4.29.2
    > drweb_sendmail-4.29.10a
    > edonkey-gui-gtk-0.5.0
    > enca-0.10.7
    > epic4-1.0.1_2
    > evolution-1.2.2_1
    > exim-3.36_1
    > exim-4.12_5
    > exim-ldap-4.12_5
    > exim-ldap2-4.12_5
    > exim-mysql-4.12_5
    > exim-postgresql-4.12_5
    > fam-2.6.9_2
    > fastdep-0.15
    > feh-1.2.4_1
    > ferite-0.99.6
    > fileutils-4.1_1
    > finfo-0.1
    > firebird-1.0.2
    > firebird-1.0.r2
    > frontpage-5.0.2.2623_1
    > galeon-1.2.8
    > galeon2-1.3.2_1
    > gdb-5.3_20030311
    > gdb-5.2.1_1
    > gdm2-2.4.1.3
    > gecc-20021119
    > gentoo-0.11.34
    > gkrellmvolume-2.1.7
    > gltron-0.61
    > global-4.5.1
    > gnat-3.15p
    > gnomelibs-1.4.2_1
    > gprolog-1.2.16
    > gracula-3.0
    > gringotts-1.2.3
    > gtranslator-0.43_1
    > gvd-1.2.5
    > hercules-2.16.5
    > hte-0.7.0
    > hugs98-200211
    > i386-rtems-gdb-5.2_1
    > i960-rtems-gdb-5.2_1
    > installwatch-0.5.6
    > ivtools-1.0.6
    > ja-epic4-1.0.1_2
    > ja-gnomelibs-1.4.2_1
    > ja-msdosfs-20001027
    > ja-samba-2.2.7a.j1.1_1
    > kdebase-3.1_1
    > kdelibs-3.1
    > kermit-8.0.206
    > ko-BitchX-1.0c16_3
    > ko-msdosfs-20001027
    > leocad-0.73
    > libfpx-1.2.0.4_1
    > libgnomeui-2.2.0.1
    > libpdel-0.3.4
    > librep-0.16.1_1
    > linux-beonex-0.8.1
    > linux-divxplayer-0.2.0
    > linux-edonkey-gui-gtk-0.2.0.a.2002.02.22
    > linux-gnomelibs-1.2.8_2
    > linux-mozilla-1.2
    > linux-netscape-communicator-4.8
    > linux-netscape-navigator-4.8
    > linux-phoenix-0.3
    > linux_base-6.1_4
    > linux_base-7.1_2
    > lsh-1.5.1
    > lukemftpd-1.1_1
    > m68k-rtems-gdb-5.2_1
    > mips-rtems-gdb-5.2_1
    > mod_php4-4.3.1
    > moscow_ml-2.00_1
    > mozilla-1.0.2_1
    > mozilla-1.2.1_1,2
    > mozilla-1.2.1_2
    > mozilla-1.3b,1
    > mozilla-1.3b
    > mozilla-embedded-1.0.2_1
    > mozilla-embedded-1.2.1_1,2
    > mozilla-embedded-1.3b,1
    > msyslog-1.08f_1
    > netraider-0.0.2
    > openag-1.1.1_1
    > openssh-portable-3.5p1_1
    > openssh-3.5
    > p5-PPerl-0.23
    > paragui-1.0.2_2
    > powerpc-rtems-gdb-5.2_1
    > psim-freebsd-5.2.1
    > ptypes-1.7.4
    > pure-ftpd-1.0.14
    > qiv-1.8
    > readlink-20010616
    > reed-5.4
    > rox-1.3.6_1
    > rox-session-0.1.18_1
    > rpl-1.4.0
    > rpm-3.0.6_6
    > samba-2.2.8
    > samba-3.0a20
    > scrollkeeper-0.3.11_8,1
    > sh-rtems-gdb-5.2_1
    > sharity-light-1.2_1
    > siag-3.4.10
    > skipstone-0.8.3
    > sparc-rtems-gdb-5.2_1
    > squeak-2.7
    > squeak-3.2
    > swarm-2.1.1
    > tcl-8.2.3_2
    > tcl-8.3.5
    > tcl-8.4.1,1
    > tcl-thread-8.1.b1
    > teTeX-2.0.2_1
    > wine-2003.02.19
    > wml-2.0.8
    > worker-2.7.0
    > xbubble-0.2
    > xerces-c2-2.1.0_1
    > xerces_c-1.7.0
    > xnview-1.50
    > xscreensaver-gnome-4.08
    > xscreensaver-4.08
    > xworld-2.0
    > yencode-0.46_1
    > zh-cle_base-0.9p1
    > zh-tcl-8.3.0
    > zh-tw-BitchX-1.0c19_3
    > zh-ve-1.0
    > zh-xemacs-20.4_1
    >
    > IV. Workaround
    >
    > There is no generally applicable workaround.
    >
    > OpenSSH's sftp-server(8) may be disabled by editing
    > /etc/ssh/sshd_config and commenting out the following line by
    > inserting a `#' as the first character:
    >
    > Subsystem sftp /usr/libexec/sftp-server
    >
    > lukemftpd(8) may be replaced by the default ftpd(8).
    >
    > V. Solution
    >
    > 1) Upgrade your vulnerable system to 4.8-STABLE
    > or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
    > (4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
    > dated after the respective correction dates.
    >
    > 2) To patch your present system:
    >
    > a) Download the relevant patch from the location below, and verify the
    > detached PGP signature using your PGP utility. The following patch
    > has been tested to apply to all FreeBSD 4.x releases and to FreeBSD
    > 5.0-RELEASE.
    >
    > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
    > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc
    >
    > b) Apply the patch.
    >
    > # cd /usr/src
    > # patch < /path/to/patch
    >
    > c) Recompile your operating system as described in
    > <URL:http://www.freebsd.org/doc/handbook/makeworld.html>.
    >
    > NOTE WELL: Any statically linked applications that are not part of
    > the base system (i.e. from the Ports Collection or other 3rd-party
    > sources) must be recompiled.
    >
    > All affected applications must be restarted for them to use the
    > corrected library. Though not required, rebooting may be the easiest
    > way to accomplish this.
    >
    > VI. Correction details
    >
    > The following list contains the revision numbers of each file that was
    > corrected in FreeBSD.
    >
    > Branch                                                             Revision
    >   Path
    > - -------------------------------------------------------------------------
    > RELENG_3
    >   src/lib/libc/stdlib/realpath.c                                    1.6.2.1
    > RELENG_4_3
    >   src/UPDATING                                               1.73.2.28.2.32
    >   src/lib/libc/stdlib/realpath.c                                    1.9.4.1
    >   src/sys/conf/newvers.sh                                    1.44.2.14.2.22
    > RELENG_4_4
    >   src/UPDATING                                               1.73.2.43.2.45
    >   src/lib/libc/stdlib/realpath.c                                    1.9.6.1
    >   src/sys/conf/newvers.sh                                    1.44.2.17.2.36
    > RELENG_4_5
    >   src/UPDATING                                               1.73.2.50.2.44
    >   src/lib/libc/stdlib/realpath.c                                    1.9.8.1
    >   src/sys/conf/newvers.sh                                    1.44.2.20.2.28
    > RELENG_4_6
    >   src/UPDATING                                               1.73.2.68.2.42
    >   src/lib/libc/stdlib/realpath.c                                   1.9.10.1
    >   src/sys/conf/newvers.sh                                    1.44.2.23.2.31
    > RELENG_4_7
    >   src/UPDATING                                               1.73.2.74.2.14
    >   src/lib/libc/stdlib/realpath.c                                   1.9.12.1
    >   src/sys/conf/newvers.sh                                    1.44.2.26.2.13
    > RELENG_4_8
    >   src/UPDATING                                                1.73.2.80.2.3
    >   src/lib/libc/stdlib/realpath.c                                   1.9.14.1
    >   src/sys/conf/newvers.sh                                     1.44.2.29.2.2
    > RELENG_5_0
    >   src/UPDATING                                                   1.229.2.14
    >   src/lib/libc/stdlib/realpath.c                                   1.11.2.1
    >   src/sys/conf/newvers.sh                                          1.48.2.9
    > - -------------------------------------------------------------------------
    >
    > VII.  References
    >
    > <URL:http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt>
    > <URL:http://www.kb.cert.org/vuls/id/743092>
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
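One way to answer both questions in the reply above, as an added example that is not part of the original post or of the FreeBSD project: cross-check the installed package list against the advisory's port list, and find statically linked executables outside the base system, which a rebuild of the base system leaves untouched. It assumes file(1) reports "statically linked" for static ELF binaries and a package listing in the "name-version comment" form pkg_info(1) prints; the package names embedded are a constructed sample of the advisory's list.

```shell
#!/bin/sh
# Added example (not from the advisory or FreeBSD): post-patch audit for
# SA-03:08. Assumes file(1) says "statically linked"/"dynamically linked"
# for ELF objects and a pkg_info(1)-style "name-version  comment" listing.

# Constructed sample of a few section III entries; paste the full list here.
ADVISORY_PKGS="lukemftpd-1.1_1
openssh-portable-3.5p1_1
samba-2.2.8
exim-4.12_5"

# installed_matches ADVISORY_LIST INSTALLED_LISTING
#   Prints installed packages (first column of each listing line) found
#   verbatim in the advisory list; the advisory names exact port versions.
installed_matches() {
    printf '%s\n' "$2" | awk -v adv="$1" '
        BEGIN { n = split(adv, a, "\n"); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $1 }'
}

# link_kind FILE_OUTPUT
#   Classifies one line of file(1) output. A "static" binary carries its own
#   copy of the old realpath() and must be recompiled; a "dynamic" one picks
#   up the corrected libc once it is restarted.
link_kind() {
    case "$1" in
        *ELF*"statically linked"*)  echo static ;;
        *ELF*"dynamically linked"*) echo dynamic ;;
        *)                          echo other ;;
    esac
}

# static_binaries PREFIX
#   Lists statically linked executables under PREFIX (e.g. /usr/local).
static_binaries() {
    find "$1" -type f -perm -0100 2>/dev/null | while read -r f; do
        if [ "$(link_kind "$(file "$f" 2>/dev/null)")" = static ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Manual run on a real system:  pkg_info | sh audit.sh --run /usr/local
if [ "${1:-}" = "--run" ]; then
    echo "== installed packages named in the advisory =="
    installed_matches "$ADVISORY_PKGS" "$(cat)"
    echo "== statically linked executables under ${2:-/usr/local} =="
    static_binaries "${2:-/usr/local}"
fi
```

The package match is deliberately on the exact name-version string, so a port already upgraded past the version the advisory lists is not flagged and needs a separate look. Dynamically linked programs need only a restart after the rebuild; everything static_binaries prints must be recompiled.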
    
